From 0e87ff3396113a9e66e37bd591bdb3e6de0335b7 Mon Sep 17 00:00:00 2001
From: dufuhang
Date: Tue, 14 May 2024 14:32:07 +0800
Subject: [PATCH 1/2] Fail if SSLInsecureRenegotiation is used with mod_ssl,
 CVE-2009-3555 is now approaching 15 years old.

* modules/ssl/ssl_engine_config.c (ssl_cmd_SSLInsecureRenegotiation):
 Fail if used.
 (ssl_config_server_new, ssl_config_server_merge): Remove insecure
 reneg handling.

* modules/ssl/ssl_engine_init.c (ssl_init_ctx_protocol): Remove
 insecure_reneg handling.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1917600 13f79535-47bb-0310-9956-ffa450edef68
---
 fix-CVE-2009-3555.patch | 88 +++++++++++++++++++++++++++++++++++++++++
 httpd.spec | 10 ++++-
 2 files changed, 96 insertions(+), 2 deletions(-)
 create mode 100644 fix-CVE-2009-3555.patch

diff --git a/fix-CVE-2009-3555.patch b/fix-CVE-2009-3555.patch
new file mode 100644
index 0000000..52e29e8
--- /dev/null
+++ b/fix-CVE-2009-3555.patch
@@ -0,0 +1,88 @@
+From 702e7f7d1e004e03fc3392ab902c3642ced48255 Mon Sep 17 00:00:00 2001
+From: dufuhang
+Date: Tue, 14 May 2024 14:09:59 +0800
+Subject: [PATCH] Fail if SSLInsecureRenegotiation is used with mod_ssl,
+ CVE-2009-3555 is now approaching 15 years old.
+
+* modules/ssl/ssl_engine_config.c (ssl_cmd_SSLInsecureRenegotiation):
+ Fail if used.
+ (ssl_config_server_new, ssl_config_server_merge): Remove insecure
+ reneg handling.
+
+* modules/ssl/ssl_engine_init.c (ssl_init_ctx_protocol): Remove
+ insecure_reneg handling.
+
+git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1917600 13f79535-47bb-0310-9956-ffa450edef68
+---
+ modules/ssl/ssl_engine_config.c | 11 +----------
+ modules/ssl/ssl_engine_init.c | 5 -----
+ modules/ssl/ssl_private.h | 1 -
+ 3 files changed, 1 insertion(+), 16 deletions(-)
+
+diff --git a/modules/ssl/ssl_engine_config.c b/modules/ssl/ssl_engine_config.c
+index 82ef221..7c92e7f 100644
+--- a/modules/ssl/ssl_engine_config.c
++++ b/modules/ssl/ssl_engine_config.c
+@@ -223,7 +223,6 @@ static SSLSrvConfigRec *ssl_config_server_new(apr_pool_t *p)
+ sc->vhost_id_len = 0; /* set during module init */
+ sc->session_cache_timeout = UNSET;
+ sc->cipher_server_pref = UNSET;
+- sc->insecure_reneg = UNSET;
+ #ifdef HAVE_TLSEXT
+ sc->strict_sni_vhost_check = SSL_ENABLED_UNSET;
+ #endif
+@@ -396,7 +395,6 @@ void *ssl_config_server_merge(apr_pool_t *p, void *basev, void *addv)
+ cfgMerge(enabled, SSL_ENABLED_UNSET);
+ cfgMergeInt(session_cache_timeout);
+ cfgMergeBool(cipher_server_pref);
+- cfgMergeBool(insecure_reneg);
+ #ifdef HAVE_TLSEXT
+ cfgMerge(strict_sni_vhost_check, SSL_ENABLED_UNSET);
+ #endif
+@@ -889,14 +887,7 @@ const char *ssl_cmd_SSLSessionTickets(cmd_parms *cmd, void *dcfg, int flag)
+
+ const char *ssl_cmd_SSLInsecureRenegotiation(cmd_parms *cmd, void *dcfg, int flag)
+ {
+-#ifdef SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
+- SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
+- sc->insecure_reneg = flag?TRUE:FALSE;
+- return NULL;
+-#else
+- return "The SSLInsecureRenegotiation directive is not available "
+- "with this SSL library";
+-#endif
++ return "The SSLInsecureRenegotiation directive is no longer supported";
+ }
+
+
+diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c
+index e42672e..bbe77c5 100644
+--- a/modules/ssl/ssl_engine_init.c
++++ b/modules/ssl/ssl_engine_init.c
+@@ -827,11 +827,6 @@ static apr_status_t ssl_init_ctx_protocol(server_rec *s,
+ }
+ #endif
+
+-#ifdef SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
+- if (sc->insecure_reneg == TRUE) {
+- SSL_CTX_set_options(ctx, SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION);
+- }
+-#endif
+
+ SSL_CTX_set_app_data(ctx, s);
+
+diff --git a/modules/ssl/ssl_private.h b/modules/ssl/ssl_private.h
+index cd8df07..a7233a4 100644
+--- a/modules/ssl/ssl_private.h
++++ b/modules/ssl/ssl_private.h
+@@ -793,7 +793,6 @@ struct SSLSrvConfigRec {
+ int vhost_id_len;
+ int session_cache_timeout;
+ BOOL cipher_server_pref;
+- BOOL insecure_reneg;
+ modssl_ctx_t *server;
+ #ifdef HAVE_TLSEXT
+ ssl_enabled_t strict_sni_vhost_check;
+--
+2.27.0
+
diff --git a/httpd.spec b/httpd.spec
index 61ed127..76ce2c4 100644
--- a/httpd.spec
+++ b/httpd.spec
@@ -8,7 +8,7 @@ Name: httpd
 Summary: Apache HTTP Server
 Version: 2.4.58
-Release: 2
+Release: 3
 License: ASL 2.0
 URL: https://httpd.apache.org/
 Source0: https://archive.apache.org/dist/httpd/httpd-%{version}.tar.bz2
@@ -76,7 +76,7 @@ Patch22: backport-CVE-2024-24795-let-httpd-handle-CL-TE-for-non-http-ha
 Patch23: backport-CVE-2023-38709-header-validation-after-content.patch
 Patch24: backport-CVE-2024-27316-bail-after-too-many-failed-reads.patch
 Patch25: backport-remove-dependency-on-xmlstring-header.patch
-
+Patch26: fix-CVE-2009-3555.patch
 BuildRequires: gcc autoconf pkgconfig findutils xmlto perl-interpreter perl-generators systemd-devel
 BuildRequires: zlib-devel libselinux-devel lua-devel brotli-devel
 BuildRequires: apr-devel >= 1.5.0 apr-util-devel >= 1.5.0 pcre2-devel
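Review bot: In the nested ssl_engine_config.c hunk, `ssl_cmd_SSLInsecureRenegotiation` now returns the error string for every value of `flag`, so a configuration that spells out the safe `SSLInsecureRenegotiation off` fails to start just like `on`, and the message gives no reason; on a 2.4.58 package update that is a startup regression for existing vhost configs. If only the insecure setting is meant to be rejected, `if (!flag) return NULL;` ahead of the return keeps `off` working, and the string could point at the cause, e.g. `"The SSLInsecureRenegotiation directive is no longer supported (CVE-2009-3555)"`. Since the ssl_private.h hunk drops `insecure_reneg` from `SSLSrvConfigRec`, the 2.4.58 tree should be checked for any other reader of that field that the trunk commit did not need to touch. The ssl_engine_init.c hunk also leaves two consecutive blank lines between `#endif` and `SSL_CTX_set_app_data(ctx, s);` where the removed block stood; `ssl_init_ctx_protocol` begins outside the hunk.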
@@ -512,6 +512,12 @@ exit $rv
 %{_rpmconfigdir}/macros.d/macros.httpd
 
 %changelog
+* Tue May 14 2024 dufuhang - 2.4.58-3
+- Type:CVE
+- ID:CVE-2009-3555
+- SUG:NA
+- DESC:Fail if SSLInsecureRenegotiation is used with mod_ssl
+
 * Mon May 06 2024 chengyechun - 2.4.58-2
 - Type:CVE
 - ID:CVE-2024-24795,CVE-2023-38709,CVE-2024-27316
-- 
Gitee

From 53994d914e5daafd894a6e92a8d95aef074f7a79 Mon Sep 17 00:00:00 2001
From: dufuhang
Date: Fri, 17 May 2024 17:19:57 +0800
Subject: [PATCH 2/2] modules/proxy/mod_proxy_fcgi.c (dispatch): Only allocate a heap buffer if the configured size is greater than the stack-allocated buffer.

---
 httpd.spec | 9 +++++-
 ...d_proxy_fcgi.c-dispatch-Only-allocat.patch | 31 +++++++++++++++++++
 2 files changed, 39 insertions(+), 1 deletion(-)
 create mode 100644 modules-proxy-mod_proxy_fcgi.c-dispatch-Only-allocat.patch

diff --git a/httpd.spec b/httpd.spec
index 76ce2c4..2500227 100644
--- a/httpd.spec
+++ b/httpd.spec
@@ -8,7 +8,7 @@ Name: httpd
 Summary: Apache HTTP Server
 Version: 2.4.58
-Release: 3
+Release: 4
 License: ASL 2.0
 URL: https://httpd.apache.org/
 Source0: https://archive.apache.org/dist/httpd/httpd-%{version}.tar.bz2
@@ -77,6 +77,7 @@ Patch23: backport-CVE-2023-38709-header-validation-after-content.patch
 Patch24: backport-CVE-2024-27316-bail-after-too-many-failed-reads.patch
 Patch25: backport-remove-dependency-on-xmlstring-header.patch
 Patch26: fix-CVE-2009-3555.patch
+Patch27: modules-proxy-mod_proxy_fcgi.c-dispatch-Only-allocat.patch
 BuildRequires: gcc autoconf pkgconfig findutils xmlto perl-interpreter perl-generators systemd-devel
 BuildRequires: zlib-devel libselinux-devel lua-devel brotli-devel
 BuildRequires: apr-devel >= 1.5.0 apr-util-devel >= 1.5.0 pcre2-devel
@@ -512,6 +513,12 @@ exit $rv
 %{_rpmconfigdir}/macros.d/macros.httpd
 
 %changelog
+* Fri May 17 2024 dufuhang - 2.4.58-4
+- Type:enchancement
+- ID:None
+- SUG:NA
+- DESC:Only allocat a heap buffer if the configured size is greater than the stack-allocated buffer.
+
 * Tue May 14 2024 dufuhang - 2.4.58-3
 - Type:CVE
 - ID:CVE-2009-3555
diff --git a/modules-proxy-mod_proxy_fcgi.c-dispatch-Only-allocat.patch b/modules-proxy-mod_proxy_fcgi.c-dispatch-Only-allocat.patch
new file mode 100644
index 0000000..5892b89
--- /dev/null
+++ b/modules-proxy-mod_proxy_fcgi.c-dispatch-Only-allocat.patch
@@ -0,0 +1,31 @@
+From 71f55c425e500c166cec4b6cb7bd83426c51534c Mon Sep 17 00:00:00 2001
+From: dufuhang
+Date: Fri, 17 May 2024 17:08:57 +0800
+Subject: [PATCH] modules/proxy/mod_proxy_fcgi.c (dispatch): Only allocate a
+ heap buffer if the configured size is greater than the stack-allocated
+ buffer.
+
+---
+ modules/proxy/mod_proxy_fcgi.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/modules/proxy/mod_proxy_fcgi.c b/modules/proxy/mod_proxy_fcgi.c
+index d420df6..dacf3aa 100644
+--- a/modules/proxy/mod_proxy_fcgi.c
++++ b/modules/proxy/mod_proxy_fcgi.c
+@@ -569,7 +569,11 @@ static apr_status_t dispatch(proxy_conn_rec *conn, proxy_dir_conf *conf,
+ *err = NULL;
+ if (conn->worker->s->io_buffer_size_set) {
+ iobuf_size = conn->worker->s->io_buffer_size;
+- iobuf = apr_palloc(r->pool, iobuf_size);
++ /* Allocate a buffer if the configured size is larger than the
++ * stack buffer, otherwise use the stack buffer. */
++ if (iobuf_size > AP_IOBUFSIZE) {
++ iobuf = apr_palloc(r->pool, iobuf_size);
++ }
+ }
+
+ pfd.desc_type = APR_POLL_SOCKET;
+--
+2.27.0
+
-- 
Gitee
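Review bot: The new guard in the nested mod_proxy_fcgi.c hunk compares `iobuf_size` against the `AP_IOBUFSIZE` constant rather than against the size of the stack buffer it falls back to, which is declared outside the hunk; if the two ever differ, a configured size between them leaves `iobuf` pointing at the stack buffer while `iobuf_size` reports more capacity than it has, and every later write bounded by `iobuf_size` overruns the stack. Comparing against the buffer's own size, `if (iobuf_size > sizeof <stack buffer>)` with the name taken from the declaration at the top of `dispatch`, ties the check to that declaration instead of to a macro that can drift. The rest of the function, including how `iobuf` and `iobuf_size` are initialized and consumed, is outside the hunk, so the assumption that the stack buffer is exactly `AP_IOBUFSIZE` bytes could not be confirmed here. When the configured size is smaller than the stack buffer, `iobuf_size` keeps the smaller value and the stack buffer is only partially used, which is presumably intended; a short comment on the guard saying so, e.g. `/* smaller configured sizes reuse the stack buffer with iobuf_size as the bound */`, would save the next reader the question.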